[pve-devel] [PATCH container/manager 0/2] add deny read/write options for device passthrough

[pve-devel] [PATCH container/manager 0/2] add deny read/write options for device passthrough

[Filip Schauer]

Add the deny_read and deny_write options for device passthrough, to
restrict container access to devices.

This allows for passing through a device in read-only mode without
giving the container full access it.

Up until now a container with a device passed through to it was granted
full access to that device without an option to restrict that access as
pointed out by @Fiona.

pve-container:

Filip Schauer (1):
  add deny read/write options for device passthrough

 src/PVE/LXC.pm        | 13 ++++++++++++-
 src/PVE/LXC/Config.pm | 10 ++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)


pve-manager:

Filip Schauer (1):
  ui: lxc: add deny read/write options for device passthrough

 www/manager6/lxc/DeviceEdit.js | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)


Summary over all repositories:
  3 files changed, 38 insertions(+), 1 deletions(-)

-- 
Generated by git-murpp 0.6.0


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH container 1/2] add deny read/write options for device passthrough

[Filip Schauer]

Add the deny_read and deny_write options for device passthrough, to
restrict container access to devices.

Signed-off-by: Filip Schauer <f.schauer@proxmox.com>
---
 src/PVE/LXC.pm        | 13 ++++++++++++-
 src/PVE/LXC/Config.pm | 10 ++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index 65d0fa8..6e2b048 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -651,7 +651,18 @@ sub update_lxc_config {
 	my $major = PVE::Tools::dev_t_major($rdev);
 	my $minor = PVE::Tools::dev_t_minor($rdev);
 	my $device_type_char = S_ISBLK($mode) ? 'b' : 'c';
-	$raw .= "lxc.cgroup2.devices.allow = $device_type_char $major:$minor rw\n";
+	my $allow_perms = $device->{deny_read} ? "" : "r";
+	my $deny_perms = $device->{deny_read} ? "r" : "";
+	$allow_perms .= $device->{deny_write} ? "" : "w";
+	$deny_perms .= $device->{deny_write} ? "w" : "";
+
+	if ($allow_perms) {
+	    $raw .= "lxc.cgroup2.devices.allow = $device_type_char $major:$minor $allow_perms\n";
+	}
+
+	if ($deny_perms) {
+	    $raw .= "lxc.cgroup2.devices.deny = $device_type_char $major:$minor $deny_perms\n";
+	}
     });
 
     # WARNING: DO NOT REMOVE this without making sure that loop device nodes
diff --git a/src/PVE/LXC/Config.pm b/src/PVE/LXC/Config.pm
index 1664a35..5db9181 100644
--- a/src/PVE/LXC/Config.pm
+++ b/src/PVE/LXC/Config.pm
@@ -962,6 +962,16 @@ my $dev_desc = {
 	minimum => 0,
 	description => 'Group ID to be assigned to the device node',
     },
+    deny_read => {
+	optional => 1,
+	type => 'boolean',
+	description => 'Deny the container to read from the device',
+    },
+    deny_write => {
+	optional => 1,
+	type => 'boolean',
+	description => 'Deny the container to write to the device',
+    },
 };
 
 for (my $i = 0; $i < $MAX_DEVICES; $i++) {
-- 
2.39.2



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH manager 2/2] ui: lxc: add deny read/write options for device passthrough

[Filip Schauer]

Add checkboxes to the device passthrough dialogue for restricting
container read/write access to a passed through device.

Signed-off-by: Filip Schauer <f.schauer@proxmox.com>
---
 www/manager6/lxc/DeviceEdit.js | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/www/manager6/lxc/DeviceEdit.js b/www/manager6/lxc/DeviceEdit.js
index cdbd9acc..d4b3e34a 100644
--- a/www/manager6/lxc/DeviceEdit.js
+++ b/www/manager6/lxc/DeviceEdit.js
@@ -95,6 +95,20 @@ Ext.define('PVE.lxc.DeviceInputPanel', {
 		return gettext("Access mode has to be an octal number");
 	    },
 	},
+	{
+	    xtype: 'checkbox',
+	    name: 'deny_read',
+	    fieldLabel: gettext('Deny Read in CT'),
+	    labelWidth: 120,
+	    checked: false,
+	},
+	{
+	    xtype: 'checkbox',
+	    name: 'deny_write',
+	    fieldLabel: gettext('Deny Write in CT'),
+	    labelWidth: 120,
+	    checked: false,
+	},
     ],
 });
 
@@ -145,6 +159,8 @@ Ext.define('PVE.lxc.DeviceEdit', {
 		    mode: data.mode,
 		    uid: data.uid,
 		    gid: data.gid,
+		    deny_read: data.deny_read,
+		    deny_write: data.deny_write,
 		};
 
 		ipanel.setValues(values);
-- 
2.39.2



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [PATCH container 1/2] add deny read/write options for device passthrough

[Fiona Ebner]

Am 29.04.24 um 15:15 schrieb Filip Schauer:
> Add the deny_read and deny_write options for device passthrough, to
> restrict container access to devices.
> 
> Signed-off-by: Filip Schauer <f.schauer@proxmox.com>

Reviewed-by: Fiona Ebner <f.ebner@proxmox.com>

> diff --git a/src/PVE/LXC/Config.pm b/src/PVE/LXC/Config.pm
> index 1664a35..5db9181 100644
> --- a/src/PVE/LXC/Config.pm
> +++ b/src/PVE/LXC/Config.pm
> @@ -962,6 +962,16 @@ my $dev_desc = {
>  	minimum => 0,
>  	description => 'Group ID to be assigned to the device node',
>      },
> +    deny_read => {
> +	optional => 1,
> +	type => 'boolean',
> +	description => 'Deny the container to read from the device',
> +    },
> +    deny_write => {
> +	optional => 1,
> +	type => 'boolean',
> +	description => 'Deny the container to write to the device',

Nit: missing default for both

> +    },
>  };
>  
>  for (my $i = 0; $i < $MAX_DEVICES; $i++) {


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [PATCH container/manager 0/2] add deny read/write options for device passthrough

[Fiona Ebner]

Am 29.04.24 um 15:15 schrieb Filip Schauer:
> Add the deny_read and deny_write options for device passthrough, to
> restrict container access to devices.
> 

In the UI, it think it's enough to expose a checkbox for read-only. Use
cases that deny reads seem a bit esoteric, so I'm not even sure we
should add deny_read in the back-end before somebody complains. But no
strong opinion there.

> This allows for passing through a device in read-only mode without
> giving the container full access it.
> 
> Up until now a container with a device passed through to it was granted
> full access to that device without an option to restrict that access as
> pointed out by @Fiona.
>


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [PATCH container/manager 0/2] add deny read/write options for device passthrough

[Filip Schauer]

On 24/07/2024 12:20, Fiona Ebner wrote:
> In the UI, it think it's enough to expose a checkbox for read-only. Use
> cases that deny reads seem a bit esoteric, so I'm not even sure we
> should add deny_read in the back-end before somebody complains. But no
> strong opinion there.


I removed the deny_read checkbox from the UI but there is no harm in
keeping the option in the backend, in case someone ends up needing it.

Superseded by:
https://lists.proxmox.com/pipermail/pve-devel/2024-July/064896.html



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel